Here's info obtained from the same client using openssl, you can se that subject CN is fine.
localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 536805412 (0x1fff0024)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = FISICA.CABIB, CN = Certificate Authority
Validity
Not Before: Jul 14 14:25:06 2020 GMT
Not After : Jul 15 14:25:06 2022 GMT
Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
ef:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
Authority Information Access:
OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName:O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
X509v3 Subject Alternative Name:
othername: UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB,
othername: 1.3.6.1.5.2.2::<unsupported>
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
dd:92:d4:68
localadmin@fisica75:~$
And more info obtained with curl:
localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib
* Trying 10.reda.cted.ip:443...
* Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
* start date: Jul 14 14:25:06 2020 GMT
* expire date: Jul 15 14:25:06 2022 GMT
* issuer: O=FISICA.CABIB; CN=Certificate Authority
* SSL certificate verify result: self-signed certificate in certificate
chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/1.1
> Host: ipaserver.fisica.cabib
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 27 May 2022 13:53:28 GMT
Date: Fri, 27 May 2022 13:53:28 GMT
< Server: Apache/redactedversion
Server: Apache/redactedversion
< Location: https://ipaserver.fisica.cabib/ipa/ui
Location: https://ipaserver.fisica.cabib/ipa/ui
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host ipaserver.fisica.cabib left intact
Also attached public cert
El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com)
escribió:
> Gustavo Berman via FreeIPA-users wrote:
> > Hello there!
> >
> > Ubuntu 18.04 (and previous ones) works just fine
> > In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails
> with:
> >
> > root@fisica75:~# ipa-client-install
> > This program will set up IPA client.
> > Version 4.9.8
> >
> > WARNING: conflicting time&date synchronization service 'ntp' will be
> > disabled in favor of chronyd
> >
> > Discovery was successful!
> > Do you want to configure chrony with NTP server or pool address? [no]:
> > Client hostname: fisica75.fisica.cabib
> > Realm: FISICA.CABIB
> > DNS Domain: fisica.cabib
> > IPA Server: ipaserver.fisica.cabib
> > BaseDN: dc=fisica,dc=cabib
> >
> > Continue to configure the system with these values? [no]: yes
> > Synchronizing time
> > No SRV records of NTP servers found and no NTP server or pool address
> > was provided.
> > Using default chrony configuration.
> > Attempting to sync time with chronyc.
> > Time synchronization was successful.
> > User authorized to enroll computers: tavo
> > Password for tavo@FISICA.CABIB:
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=FISICA.CABIB
> > Issuer: CN=Certificate Authority,O=FISICA.CABIB
> > Valid From: 2014-01-14 12:56:57
> > Valid Until: 2034-01-14 12:56:57
> >
> > Enrolled in IPA realm FISICA.CABIB
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
> > certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
> > The ipa-client-install command failed. See
> > /var/log/ipaclient-install.log for more information
> > root@fisica75:~#
> >
> > There is no Hostname mismatch for the server certificate. It has been
> > working just fine for years with multiple distros as clients. I can
> > access the website with the same URL and cert is just fine.
> >
>
> The error message is pretty clear and comes out of openssl. Can we see
> the web server certificate from that host? Can you confirm that the host
> the client connected to is actually this host (e.g. DNS or /etc/host
> issues)?
>
> rob
>
>
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
ipaserver.fisica.cabib.pem
Description: application/x509-ca-cert
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
